Uncontrolled External Site Redirect - Host Header Injection

Need

Prevent malicious redirection and potential SSRF attacks

Context

• Usage of Elixir for functional and concurrent programming

• Usage of Plug.Conn for handling HTTP connections and request state in Elixir (conn.host is populated from the request's Host header)

Description

1. Non compliant code

defmodule VulnerableController do
  use MyApp.Web, :controller

  # The action is named go/2 rather than redirect/2: `use MyApp.Web, :controller`
  # conventionally imports Phoenix.Controller, and a local redirect/2 would
  # conflict with the imported Phoenix.Controller.redirect/2 at compile time.
  def go(conn, _params) do
    # conn.host comes straight from the client-controlled Host header.
    redirect_to = conn.host

    conn
    |> put_resp_header("location", redirect_to)
    # The original snippet never sent the response; send_resp/3 completes the redirect.
    |> send_resp(302, "")
  end
end

The Elixir code above is vulnerable because it copies `conn.host`, which Plug populates from the request's Host header, straight into the `Location` response header. The client controls that header, so an attacker who gets a victim to send a request with a forged Host value (or who is behind a proxy that forwards the value unchanged) can send the victim to an external, attacker-controlled site. Where the application also fetches URLs that it builds from the same host value, the injected host can additionally become the target of a server-side request (SSRF).

2. Steps

• Add a function to validate the host before using it for redirection.

• Do not use the host from the incoming HTTP request directly for generating redirection responses. Instead, use a predefined and validated list of acceptable hosts or a fixed host configured in the application settings.

• Use pattern matching or an exact allowlist lookup, not a substring or prefix check, to ensure the host matches the expected format; hosts such as `secure.example.com.attacker.net` or `attacker.net@secure.example.com` must be rejected, not passed through.
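The three steps above, implemented as one module. This is an added example and not code from the original page; the module name `MyApp.SafeRedirect`, the config key `:allowed_hosts`, the hosts `secure.example.com` and `www.example.com`, and the `"to"` parameter are assumptions chosen for illustration. It validates the request host against an exact allowlist, falls back to a fixed application-controlled host otherwise, and pattern-matches the redirect path so that a protocol-relative path (`//attacker.net/...`) cannot change the host either.

```elixir
# Added example (not from the original page). Assumed names: MyApp.SafeRedirect,
# the :allowed_hosts config key, and the hosts secure.example.com / www.example.com.
defmodule MyApp.SafeRedirect do
  # Fixed, application-controlled fallback used whenever the request's
  # Host header is not on the allowlist.
  @default_host "secure.example.com"

  # In a real application the allowlist would come from configuration, e.g.
  # Application.get_env(:my_app, :allowed_hosts). A literal is used here so the
  # file runs on its own with `elixir safe_redirect.exs`.
  @allowed_hosts ["secure.example.com", "www.example.com"]

  # Returns an allowlisted host, or the fixed default.
  # Hostnames are case-insensitive, so the comparison is done in lowercase.
  # An exact match is required: "secure.example.com.attacker.net",
  # "attacker.net@secure.example.com" and "secure.example.com:8443" all fall
  # back to the default instead of being passed through.
  def validated_host(host, allowed \\ @allowed_hosts)

  def validated_host(host, allowed) when is_binary(host) do
    candidate = host |> String.trim() |> String.downcase()

    if candidate in allowed, do: candidate, else: @default_host
  end

  def validated_host(_host, _allowed), do: @default_host

  # Builds the absolute URL for the Location header. The path is pattern
  # matched so that only a local path is accepted: "//attacker.net/x" is a
  # protocol-relative URL that would also change the host, so it is rejected.
  def redirect_url(host, path \\ "/") do
    safe_path =
      case path do
        "//" <> _ -> "/"
        "/" <> _ = local -> local
        _ -> "/"
      end

    URI.to_string(%URI{scheme: "https", host: validated_host(host), path: safe_path})
  end
end

# Constructed inputs (not captured traffic) shaped like the values a
# controller would pass: conn.host and a user-supplied "to" parameter.
for {host, path} <- [
      {"www.example.com", "/account"},
      {"WWW.EXAMPLE.COM", "/account"},
      {"attacker.net", "/account"},
      {"secure.example.com.attacker.net", "/"},
      {"www.example.com", "//attacker.net/phish"}
    ] do
  IO.puts("#{host} #{path} -> #{MyApp.SafeRedirect.redirect_url(host, path)}")
end
```

In a controller the call is `conn |> put_resp_header("location", MyApp.SafeRedirect.redirect_url(conn.host, params["to"] || "/")) |> send_resp(302, "")`. If the redirect never legitimately needs to leave the current site, Phoenix's own `redirect(conn, to: path)` is simpler still: it accepts only a local path and raises on anything else, so the Host header never enters the picture at all.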

3. Secure code example

defmodule SecureController do
  use MyApp.Web, :controller

  # Named go/2 for the same reason as in the non-compliant example: a local
  # redirect/2 would conflict with the imported Phoenix.Controller.redirect/2.
  def go(conn, _params) do
    # Fixed, application-controlled target; nothing from the request is used.
    redirect_to = "https://secure.example.com"

    conn
    |> put_resp_header("location", redirect_to)
    |> send_resp(302, "")
  end
end

The Elixir code above is secure because the redirect target is a fixed URL defined by the application rather than anything taken from `conn.host`. Since no part of the request's Host header reaches the `Location` header, an attacker cannot influence where the client is sent. When the target genuinely has to vary, the host must first be checked against an exact allowlist, with a fixed fallback for anything that does not match.